[Samba] Cannot authenticate as guest to domain-joined Samba 4.7.0 fileserver when map untrusted to domain = auto

Andrew Martin amartin at xes-inc.com
Mon Jul 16 21:47:57 UTC 2018


Hello,

I just upgraded Samba on a fileserver from 4.6.8 to 4.7.0; this fileserver is
joined to a Samba4 AD Domain. I have configured the following options to allow
guest access to a share:

[global]
    guest account = nobody
    map to guest = Bad User

[Share]
    guest ok = yes

When attempting to connect from a local account on a Windows 7 client (the
client is joined to the domain but the local account is local to the machine), I
can no longer connect as a guest to this share, receiving STATUS_LOGON_FAILURE.
Looking into it further, I can successfully authenticate as a guest if I specify
the AD domain name (EXAMPLE.COM) or the hostname of the fileserver (FILESERVER)
but NOT if I use the hostname of the Windows 7 client (WINDOWS7CLIENT):

$ smbclient -WEXAMPLE.COM -L //fileserver/share -ULocalWindowsUser%
# this works

$ smbclient -WFILESERVER -L //fileserver/share -ULocalWindowsUser%
# this works

$ smbclient -WWINDOWS7CLIENT -L //fileserver/share -ULocalWindowsUser%
session setup failed: NT_STATUS_LOGON_FAILURE

I think setting "map untrusted to domain = no" will resolve this problem, since
the user will get mapped to FILESERVER\LocalWindowsUser instead of
WINDOWS7CLIENT\LocalWindowsUser as it is now when set to "auto". However, this is
not a long-term solution since it looks like this option is being removed in
Samba 4.8. How can I allow a local Windows user to authenticate as a guest to
this share?


Thanks,

Andrew


